Pun intended. We all use cloud computing resources every day. All you have to do is go on the Internet, and chances are the website you are accessing uses cloud services. Our website, www.hipaasecurenow.com, uses the Amazon cloud. There are many definitions of cloud services, but at a high level it is the use of computing resources, generally services and storage, from another organization. So how does this relate to HIPAA? And what’s the big deal?
Many Covered Entities store healthcare data in the cloud. Common applications include a cloud-based EHR, backup of an onsite server, or sending email containing ePHI (encrypted email, of course). The organizations that provide the cloud services (Cloud Service Providers, or CSPs) are Business Associates to the Covered Entities because they are storing the CE’s data. Easy – right?
But what if a CSP stores only encrypted ePHI and does not have a decryption key? In that situation, the CSP cannot access the ePHI, so why would they be a BA? The answer has to do with more than just encryption. According to HHS/OCR:
While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule. Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations. Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.
Because there are so many data breaches these days, we reflexively think about HIPAA in terms of ePHI confidentiality. But as noted above, HIPAA also addresses the integrity and availability of ePHI. Availability of patient information is critical to providing patient care, and high availability is necessary to make the best clinical decisions at the point of care.
For example, take the case of Hollywood Presbyterian Medical Center. Last February, the hospital suffered a ransomware attack. The computer network was down for more than a week. Some patients had to be transported to other hospitals. Other systems, like CT scans and the pharmacy, were offline. Clearly this is a horribly undesirable outcome which affected patient care.
Part of the HIPAA Security Rule is making sure that each CE has proper backup and disaster recovery procedures. So while CSPs may not have access to the ePHI, they can affect its integrity and availability, and they are therefore considered a Business Associate.
Key takeaways for Covered Entities:
- Don’t let a CSP tell you they are not a Business Associate – they are. Make sure you sign a BA agreement.
- Something to pay attention to in your contract with the CSP is the Service Level Agreement (SLA). The SLA is a common term in telecom and IT contracts. It spells out your CSP’s commitment to availability. You need to make sure that this commitment is high enough for your requirements.
- As the case with Hollywood Presbyterian above shows, something can always go wrong with your systems. Make sure you have good backups and a disaster recovery plan that you can implement in short order in the event that your systems go down.